mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License
155 stars 11 forks source link

CSS Exfil Vulnerability Tester Issue #36

Closed SeriousHoax closed 2 years ago

SeriousHoax commented 2 years ago

In Firefox, when the extension https://addons.mozilla.org/en-US/firefox/addon/dark-background-light-text/ is installed, the tester page shows that your browser is not vulnerable and, when disabled, shows vulnerable. Is this bug of the test method or the said extension is somehow unintentionally protecting from the CSS Exfil Vulnerability?

Here, "Dark Background and Light Text" is enabled, image

Here, "Dark Background and Light Text" is disabled, image

Note: In both cases, your extension "CSS-Exfil-Protection" is not installed in the browser. Github of Dark Background and Light Text: https://github.com/m-khvoinitsky/dark-background-light-text-extension

mlgualtieri commented 2 years ago

I'm not very familiar with this extension, but browsing the source code it looks like it works by changing some of the page CSS, specifically the background colors on elements. What I think is happening is that the new CSS injected by the plugin is disrupting the CSS used on the test page, and as such it's showing as not vulnerable. If that's the case, it's actually true, and CSS injection did not occur. This won't disrupt all CSS exfil attack vectors, but it looks like it (unintentionally) does disrupt some of the vectors.